Pizza Hut hacked, customer data and orders taken


Hackers claim to have stolen personal data from Pizza Hut customers in a cyberattack they say also netted them information on 30 million orders for Margheritas, Hawaiians and Meat Lover’s products.

The number of Australians who had personal information taken is substantially smaller than the number of orders claimed: the hackers’ unverified claim was of obtaining data on 1 million people; Pizza Hut said 193,000 were affected.

Pizza Hut Australia boss Phil Reed has reassured customers the chain is still operating normally. Oscar Coleman

A hacking group called ShinyHunters claimed responsibility for the breach earlier this month, via the anonymous industry site Data Breaches. The group demanded a $US300,000 ($464,000) ransom, the site reported. Pizza Hut confirmed the intrusion in an email to customers on Wednesday.

The chain’s Australian chief executive, Phil Reed, apologised to customers for “any concern that this incident may have caused”.

Investigations by the company to date had confirmed the exposed information included customer names, delivery addresses, emails, phone numbers and “unusable masked credit card data”.

Reed said that “only a small proportion of customers on our database” had their information taken. The chain, which was recently purchased by the US food giant Flynn Restaurant Group from its previous private equity owners Allegro Funds, had informed the Office of the Australian Information Commissioner.

A Pizza Hut spokeswoman said there was no evidence to suggest the misuse of any customer information.

“It is also worth noting that Pizza Hut Australia does not collect any government identity documents or sensitive information and secures all account user passwords with strong one-way encryption,” she said.

Hacking groups sometimes overstate the extent of their attacks to generate fear in their targets, but it is also common for the size of a breach to grow as investigations proceed.

Many Australians’ personal data has already been exposed online as part of the massive Medibank, Latitude Financial and Optus hacks, which included much more sensitive information than the Pizza Hut breach.

The federal government’s official advice for companies is to not pay ransoms on the basis that it encourages further hacking attempts.

The government is working on a new cybersecurity strategy that is due to be released later this year. Cybersecurity Minister Clare O’Neil has said she wants Australia to be among the most digitally secure by the end of the decade, pledging to work with its partners in the Quad grouping of countries to create incentives for safer software.